Abstract. A predicate linear temporal logic $LTL_\lambda^=$ without quantifiers but
with predicate abstraction mechanism and equality is considered. The models
of $LTL_\lambda^=$ can be naturally seen as systems of pebbles (flexible constants)
moving over the elements of some (possibly infinite) domain. This allows
$LTL_\lambda^=$ to be used for the specification of dynamic systems using some resources, such as
processes using memory locations, mobile agents occupying some sites, etc. On
the other hand we show that $LTL_\lambda^=$ is not recursively axiomatizable and, therefore,
fully automated verification of $LTL_\lambda^=$ specifications is not, in general,
possible.

1 Introduction 

In this paper we consider a predicate linear temporal logic $LTL_\lambda^=$ without quantifiers
but with predicate abstraction mechanism. The idea of predicate abstraction goes back
to M. Fitting, who proposed it as a general technique for obtaining modal
logics which are, in a sense, intermediate between propositional and first-order. He
suggested extending a modal propositional logic L by adding relation symbols, flexible
constants and the operator of predicate abstraction, but no quantifiers. The abstraction
is used as a scoping mechanism. A simple example of what the abstraction can be used
for is given by the following two formulae: $\Diamond(\lambda x.P(x))(c)$ and $(\lambda x.\Diamond P(x))(c)$. The
first one says that P holds of what c designates in an alternative world, while the second
one says that at an alternative world P holds of what c designates in the current world.

Such an extension (both with and without equality) can be alternatively seen
as a very restricted fragment of the corresponding first-order variant QL of L. It is proved in
[3] that such an extension when applied to S5 leads to the undecidable logic $S5_\lambda^=$, but for
many other classical modal logics L their extensions $L_\lambda^{(=)}$ are still decidable.

We apply such an extension to the classical propositional linear time logic. The
models of $LTL_\lambda^=$ can be naturally seen as systems of pebbles (flexible constants)
moving over the elements of some (possibly infinite) domain. This provides an abstract
view on dynamic systems using some resources, such as processes using memory
locations, mobile agents occupying some sites, etc. Thus, despite being a very restricted
extension of propositional temporal logic, $LTL_\lambda^=$ is suitable for specification of such
systems. However, we show, as the main result of this paper, that $LTL_\lambda^=$ is not only
undecidable, but is not even recursively axiomatizable. It follows that automatic
verification of $LTL_\lambda^=$ specifications is not, in general, possible.

The paper is organised as follows. In the next section we present the syntax and
semantics of $LTL_\lambda^=$. In Section 3 we demonstrate the expressive power of $LTL_\lambda^=$ by
giving a range of examples of properties expressible in $LTL_\lambda^=$, show the limitations
of $LTL_\lambda^=$ and discuss possible applications of $LTL_\lambda^=$ for specifications of
protocols. In Section 4 we present the main ideas of modelling counter machines by pebble
systems. In Section 5 we use these ideas for modelling Minsky machine computations
in $LTL_\lambda^=$ and prove the main result. We conclude the paper with Section 6.

2 Syntax and Semantics 

The content of this section is an adaptation of the corresponding section of [3] to the 
case of temporal logic. 

Let $V = \{x, y, x_1, \ldots\}$ be an alphabet of variables and $C = \{a, b, c, c_1, \ldots\}$ be an
alphabet of constant symbols. For each n let $\mathcal{R}^n = \{P, R, R_1, \ldots\}$ be an alphabet of
n-ary relational symbols. We refer to the tuple $\mathcal{L} = (V, C, \mathcal{R})$ as the alphabet.

One may or may not include an equality = in the alphabet of binary relation symbols.
In this paper we consider only the case with equality. A term is a constant symbol or a
variable.

Definition 1. The set of $LTL_\lambda^=$-formulas (in the alphabet $\mathcal{L}$) and their free variables
are defined as follows.

1. If $R$ is an n-ary relation symbol and $x_1, x_2, \ldots, x_n$ are variables, then $R(x_1, x_2, \ldots, x_n)$
is a formula with $x_1, x_2, \ldots, x_n$ as its free variable occurrences.

2. If $\varphi$ is a formula, then $\neg\varphi$, $\Box\varphi$, $\Diamond\varphi$, $\bigcirc\varphi$, $\blacksquare\varphi$, $\blacklozenge\varphi$, $\ominus\varphi$ are formulas. Free
variable occurrences are those of $\varphi$.

3. If $\varphi$ and $\psi$ are formulas, then $(\varphi \wedge \psi)$, $(\varphi \vee \psi)$ and $(\varphi \to \psi)$ are formulas. Free
variable occurrences are those of $\varphi$ together with those of $\psi$.

4. If $\varphi$ is a formula, $x$ is a variable, and $t$ is a term, then $(\lambda x.\varphi)(t)$ is a formula. Free
variable occurrences are those of $\varphi$, except for occurrences of $x$, together with $t$ if it
is a variable.

A formula $\varphi$ is called a sentence iff it does not have free variable occurrences.

Formulae of $LTL_\lambda^=$ are interpreted in first-order temporal models with the time
flow isomorphic to the structure (N, <, succ), where N is the set of natural numbers, <
is the usual order relation on N, and succ is the successor operation on N.

Definition 2. A model is a structure $\mathfrak{M} = (D, I)$, where:

1. D is a non-empty set, the domain;

2. I is an interpretation mapping that assigns: 

- to each constant symbol some function from N to D; 

- to each n-ary relation symbol some function from N to 2 D (the power set of 



3. I(=) is the constant function assigning the equality relation on D to every moment 
of time from N. 

First-order (non-temporal) structures corresponding to each point of time will be
denoted $\mathfrak{M}_n = (D, I(n))$. Intuitively, the interpretations of $LTL_\lambda^=$-formulae are
sequences of first-order structures, or states of $\mathfrak{M}$, such as $\mathfrak{M}_0, \mathfrak{M}_1, \ldots, \mathfrak{M}_n, \ldots$.

An assignment in D is a function $a$ from the set V of individual variables to D. Thus
we assume that (individual) variables of $LTL_\lambda^=$ are rigid, that is, assignments do not
depend on the state in which variables are evaluated. In contrast, as follows from
Definition 2, the constants are assumed to be non-rigid (flexible), that is, their interpretations
depend on moments of time (states). For a constant c we also call the element $I(c)(n)$ of D
the designation of c at the moment n. The assignment $a$ is extended to the assignment
$(a * I) : (C \cup V) \to D$ of all terms in the usual way:

1. For a variable x, $(a * I)(x, n) = a(x)$;

2. For a constant c, $(a * I)(c, n) = I(c)(n)$.

If P is a predicate symbol then (or simply $P^n$ if $I$ is understood) is the
interpretation of P in the state $\mathfrak{M}_n$.

Definition 3. The truth-relation $\mathfrak{M}_n \models^a \varphi$ (or simply $n \models^a \varphi$, if $\mathfrak{M}$ is understood) in
the structure $\mathfrak{M}$ for the assignment $a$ is defined inductively in the usual way under the
following semantics of temporal operators:

$n \models^a \bigcirc\varphi$ iff $n + 1 \models^a \varphi$;

$n \models^a \Diamond\varphi$ iff there is $m \ge n$ such that $m \models^a \varphi$;

$n \models^a \Box\varphi$ iff $m \models^a \varphi$ for all $m \ge n$;

$n \models^a \ominus\varphi$ iff $n - 1 \models^a \varphi$;

$n \models^a \blacklozenge\varphi$ iff there is $0 \le m \le n$ such that $m \models^a \varphi$;

$n \models^a \blacksquare\varphi$ iff $m \models^a \varphi$ for all $0 \le m \le n$.

For the case of abstraction we have:

$n \models^a (\lambda x.\varphi)(t)$ iff $n \models^{a'} \varphi$, where $a'$ coincides with $a$ on all variables except $x$
and $a'(x) = (a * I)(t, n)$.

A formula $\varphi$ is said to be satisfiable if there is a first-order structure $\mathfrak{M}$ and an
assignment $a$ such that $\mathfrak{M} \models^a \varphi$. If $\mathfrak{M} \models^a \varphi$ for every structure $\mathfrak{M}$ and for all
assignments $a$ then $\varphi$ is said to be valid. Note that formulae here are interpreted in the
initial state $\mathfrak{M}_0$.

We conclude this section by introducing a useful notation. Given a model $\mathfrak{M} = (D, I)$
and a constant c, denote by $V_c^n$ the set of elements of D visited by c up to the
moment n, that is $V_c^n = \{I(m)(c) \mid 0 \le m \le n\}$. Then $V_c = \bigcup_{n \in N} V_c^n$ is the set of
elements of D visited by c in the model $\mathfrak{M}$.



3 Properties expressible in $LTL_\lambda^=$



Despite being a very restricted fragment of the first-order temporal logic, the logic $LTL_\lambda^=$
can express many non-trivial properties of its models. Because of the interpretation
given to flexible constants (by a function from N to D) they can be thought of as
pebbles moving over elements of the domain as time goes by. Then, even in the
absence of any other predicate symbols except equality, one can express dynamic
properties of the system of pebbles evolving in time:

• AlwaysNew(d) $\Leftrightarrow \Box(\lambda x.\bigcirc\Box(\lambda y.y \neq x)(d))(d)$. The constant d has different
designations at different moments of time (the pebble d occupies different positions
in different moments of time).

• Same(a, b) $\Leftrightarrow (\lambda x.(\lambda y.x = y)(a))(b)$. The constants a and b have the same
designation now. (The pebbles are on the same place now).

• SameInPast(a, d) $\Leftrightarrow (\lambda x.\blacklozenge(\lambda y.y = x)(d))(a)$. The constant a has the same
designation as d had in the past.

• NoChange(c) $\Leftrightarrow (\lambda x.\bigcirc(\lambda y.x = y)(c))(c)$. The constant c has the same
designation at the current and next moments of time.

• AlwaysReturn(a) $\Leftrightarrow \Box(\lambda x.\bigcirc\Diamond(\lambda y.x = y)(a))(a)$. The pebble a always returns
to the place it occupies at any given moment of time.

Next, we present two examples of more complex formulae, which will play a special
role later on:

• NextNew1(a, d, c) $\Leftrightarrow (\lambda w.(\lambda x.\blacklozenge((\lambda y.y = x)(d) \wedge \bigcirc(\lambda v.(v = w))(d)))(a))(c) \wedge (\lambda z.\bigcirc(\lambda t.(t = z))(a))(c)$

• NextNew2(a, d) $\Leftrightarrow \bigcirc(\lambda w.\ominus(\lambda x.\blacklozenge((\lambda y.y = x)(d) \wedge \bigcirc(\lambda v.(v = w))(d)))(a))(a)$

Both formulae express the same fact about the behaviour of pebbles a and d: the pebble
a moves in the next moment of time to the position to which the pebble d has moved
from the position which a is occupying now. In other words a moves in the same way as
d did from the same position. The difference between the two formulae is that NextNew1
does not use the "last" operator $\ominus$, but at the expense of an additional flexible constant.

In the above formulae no predicate symbols except equality were used. One example
of a formula with an additional binary predicate E is

$\Box((\lambda x.(\lambda y.(E(x, y) \leftrightarrow (\Box E(x, y) \wedge \blacksquare E(x, y))))(c_1))(c_2))$

This formula says that the predicate E, restricted to the pairs of elements of the domain
visited by the first and second constant, respectively, is rigid. But E may well have different
interpretations at different moments of time on all other pairs of elements. This example
also illustrates the pebble locality of properties expressible by $LTL_\lambda^=$ formulae.
Pebble locality of a property means that the property depends only on the interpretations
of predicate symbols on the elements of the domain ever visited by pebbles. In fact,
only such properties are expressible in $LTL_\lambda^=$, as Proposition 1 shows.

Definition 4. Given an alphabet $\mathcal{L} = (V, C, \mathcal{R} = \bigcup_{n \in N} \mathcal{R}^n)$. Two models $\mathfrak{M} = (D, I)$
and $\mathfrak{M}' = (D', I')$ are said to be pebble equivalent with respect to $\mathcal{L}$, and this is denoted
by $\mathfrak{M} \equiv_p^{\mathcal{L}} \mathfrak{M}'$, iff

- $\forall c \in C\ \forall i \in N\ (I(c)(i) \in D \cap D' \wedge I'(c)(i) \in D \cap D')$ (constants of both models are
interpreted on the common part of the domains; actually, it follows from the next
clause);

- $\forall c \in C\ \forall i \in N\ I(c)(i) = I'(c)(i)$ (interpretations of any constant at any moment
of time coincide in both models);

- $\forall P \in \mathcal{R}^n\ \forall i \in N\ \forall \bar{v} \in V \times V \times \ldots \times V$ (n times) $[\bar{v} \in I(P)(i) \Leftrightarrow \bar{v} \in I'(P)(i)]$ for every
arity n; here $V = \bigcup_{c \in C} V_c$ (interpretations of predicate symbols coincide in both
models on the elements of the domains visited by constants).

Proposition 1. Let $\varphi \in LTL_\lambda^=$ be a sentence in alphabet $\mathcal{L}$. Then it cannot distinguish
pebble equivalent models, that is $\mathfrak{M} \equiv_p^{\mathcal{L}} \mathfrak{M}' \Rightarrow [\mathfrak{M} \models \varphi \Leftrightarrow \mathfrak{M}' \models \varphi]$.

Proof. The proof is based on an easy induction on the formula structure using Definition 3.
The induction assumption is that for any formula $\varphi$, possibly including free variables, the
truth value $n \models^a \varphi$ depends only on the assignment of free variables, on the
interpretation of flexible constants and on the interpretation of predicate symbols on elements
of V. Since a sentence does not include free variable occurrences, the statement of the
proposition follows. □

We now use pebble locality to show that $LTL_\lambda^=$ is less expressive than the full
first-order linear temporal logic FOLTL where unrestricted quantification is allowed.
In what follows we assume the semantics of FOLTL with flexible predicates and rigid
constants. Consider the FOLTL formula in a vocabulary consisting of a single binary
predicate symbol E:

$\Box(\forall x \forall y\, E(x, y) \leftrightarrow \bigcirc E(x, y))$

The formula expresses persistence of the interpretation of E along the time flow.
Such a property cannot be expressed by any formula of $LTL_\lambda^=$, as the following
proposition shows.

Proposition 2. Let $\mathcal{L} = (V, C, \mathcal{R})$ be an alphabet with $\mathcal{R}$ containing a single binary
predicate symbol, and C be an arbitrary set of flexible constant symbols. For any
satisfiable sentence $\varphi$ of $LTL_\lambda^=$ in alphabet $\mathcal{L}$ there is a model satisfying $\varphi$ with
non-persistent interpretation of E.

Proof. Take any model $\mathfrak{M} = (D, I)$ such that $\mathfrak{M} \models \varphi$. Then construct a new model
$\mathfrak{M}' = (D', I')$ where $D' = D \cup D''$, $D'' \cap D = \emptyset$ and $D''$ contains two elements. For
any constant c put $I'(c) = I(c)$, i.e. constants do not visit any element of $D''$. Choose
any interpretation $I'(E)$ of E which satisfies:

- $\forall x, y \in D\ \forall n \in N\ ((x, y) \in I'(E)(n) \Leftrightarrow (x, y) \in I(E)(n))$

- $\forall x, y \in D''\ \forall k \in N\ ((x, y) \in I'(E)(2k) \wedge (x, y) \notin I'(E)(2k + 1))$

Notice that we don't care how $I'(E)$ is defined on all other pairs of elements.

Then $\mathfrak{M}'$ is pebble equivalent to $\mathfrak{M}$ and therefore $\mathfrak{M}' \models \varphi$. The
interpretation of E in $\mathfrak{M}'$ depends on time. □



3.1 Pebble systems and agents using resources 

The above metaphor of a pebble system may also be seen as a very abstract model
of computational processes (agents) using some resources. In such a model a pebble,
or, indeed, a non-rigid constant c may be thought of as a computational process and
elements of the domain as the abstract resources. Then, if at some moment of time a
designation of c is an element x of the domain, one may understand it as "c uses the
resource x". To model the situation with processes, or agents, using several resources
at the same time, one may associate with an agent a set of flexible constants (pebbles).
Another natural reading of the above situation may be "the mobile agent c resides at the
host x". Taking this point of view, the formulae of $LTL_\lambda^=$ can be used to specify protocols,
policies or requirements for agents operating within a common pool of resources.
Pointing out this possibility, we restrict ourselves in this paper to the simple example
of a communication protocol for mobile agents.

3.2 An example of communication protocol for Mobile Agents 

Let us suppose the following scenario where a group of communicating mobile agents 
explore some hosts and transmit messages to each other. Because mobile agents can 
move autonomously from host to host, they cannot reliably know the location of their 
communication peer. Therefore, a practical communication protocol somehow must 
keep track of agent locations, allowing each agent to send messages to its peers without 
knowing where they physically reside. 

There are many mobile agent tracking protocols that use a forwarding pointers
mechanism [1]. It means that each host on a mobile agent's migration path keeps a
forwarding pointer to the next host on the path. The classical primitive for such a protocol
is based on each sender knowing the target agent's home. So messages are sent
to the agent's home and forwarded to the target object along the forwarding pointers.
An interesting alternative is a primitive "find a host which was visited both by sender and
receiver" (see footnote 1). Using this primitive the messages are again forwarded to the target object
along the forwarding pointers, but from the host where the mobile agents' migration
paths intersect (see Figure 1).

We can specify the use of this primitive in $LTL_\lambda^=$ as follows. For simplicity we
assume that the receiver always either does not move or moves to a new host (never revisiting
the hosts it has already visited).

Let flexible constants s and r denote communicating mobile agents (sender and
receiver, respectively) and m denote the message. Then the $LTL_\lambda^=$-formula

$Same(s, m) \wedge \Diamond(\lambda z.(\blacklozenge(\lambda x.\blacklozenge(\lambda y.x = y \wedge y = z)(r))(s))(m)) \wedge \Diamond\Box NextNew2(m, r)$

describes the above protocol: at some moment of time message m is on the same host
as s, then it moves along the path of r, starting from a host which both s and r have
visited (and r has done it no later than s).

Footnote 1: We don't consider the issue of implementation of such a primitive and note that this can be
done in various ways.
Fig. 1. A mobile agent tracking protocol: the operation of sending a message from agent a to agent
b.

It should be clear now that $LTL_\lambda^=$ is expressive enough to formulate also the
correctness conditions for such protocols, such as "once the message is sent, it will
eventually be delivered to a receiver". Of course, one needs to specify some extra conditions which
would guarantee correctness: the receiver must stop and wait in order to receive a message
(otherwise the message may always be behind the receiver). Or, one may specify
different speeds of messages and agents, which would guarantee delivery even to
agents "on the move". One way of doing this in $LTL_\lambda^=$ is to specify that messages can
move to a new host every round (discrete moment of time), while mobile agents can
move only every second round. Thus, the proof of correctness of the above protocol
may be reduced to validity checking for some $LTL_\lambda^=$-formulae. We don't pursue
the goal of automatic verification of protocols via validity checking (theorem proving)
for $LTL_\lambda^=$-formulae in this paper, but rather demonstrate a related negative result
on $LTL_\lambda^=$ itself: it is highly undecidable and, therefore, fully automated verification
based on validity checking of $LTL_\lambda^=$-formulae is not possible.
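The effect of these extra conditions can be seen on a small simulation. This is an added example, not part of the paper: host names, agent paths and function names are constructed, the primitive is taken to return the latest common host, and handing m over to that host is taken to cost one round.

```python
# Added example: hosts and agent paths below are constructed sample data.

def sender_at(t):
    """Sender s wanders over its own hosts, but stands on h1 at round 3."""
    return "h1" if t == 3 else f"s{t}"

def receiver_every_round(t):
    """Receiver r moves to a new host every round."""
    return f"h{t}"

def receiver_every_second_round(t):
    """Receiver r moves to a new host only every second round."""
    return f"h{t // 2}"

def receiver_stops(t):
    """Receiver r moves every round until it reaches h3, then waits."""
    return f"h{min(t, 3)}"

def common_host(sender, receiver, sent_at):
    """The 'find a host visited by both' primitive (assumed strategy): the
    latest host s stood on at a round i <= sent_at that r had reached by round i."""
    for i in range(sent_at, -1, -1):
        if any(receiver(j) == sender(i) for j in range(i + 1)):
            return sender(i)
    return None

def forward(receiver, host, now):
    """Forwarding pointer left on `host`: where r went when it left it.
    This is the move NextNew2(m, r) prescribes for a message on `host`.
    Only called when r has already left `host`, and r never revisits hosts."""
    left = next(j for j in range(now)
                if receiver(j) == host and receiver(j + 1) != host)
    return receiver(left + 1)

def delivery_round(sender, receiver, sent_at, horizon):
    """Round at which message m shares a host with r, or None if m is still
    behind r at `horizon`. m makes one hop per round."""
    m = common_host(sender, receiver, sent_at)
    if m is None:
        return None                      # the paths never crossed
    for t in range(sent_at + 1, horizon + 1):
        if m == receiver(t):
            return t                     # r is on the host m has reached
        m = forward(receiver, m, t)      # follow r's pointer for one hop
    return None

if __name__ == "__main__":
    for name, r in [("moves every round", receiver_every_round),
                    ("moves every second round", receiver_every_second_round),
                    ("stops at h3", receiver_stops)]:
        print(name, "->", delivery_round(sender_at, r, sent_at=5, horizon=60))
```

With equal speeds the message keeps a constant distance behind the receiver; slowing the receiver down or stopping it is what makes delivery happen.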



4 Minsky machines and their modelling by pebbled sets 

In this section we use the well known model of Minsky machines to show universality of
the pebbled sets model. Informally speaking, a Minsky machine is a two counter machine
that can increment and decrement counters by one and test them for zero. It is known
that Minsky machines represent a universal model of computation [7]. Being of very
simple structure, Minsky machines are very useful for proving undecidability results
(see for example [4, 5]).

It is convenient to represent a counter machine as a simple imperative program M
consisting of a sequence of instructions labelled by natural numbers from 1 to some L.
Any instruction is of one of the following forms:

l: ADD 1 to $S_k$; GOTO l';

l: IF $S_k \neq 0$ THEN SUBTRACT 1 FROM $S_k$; GOTO l' ELSE GOTO l'';
l: STOP.



where $k \in \{1, 2\}$ and $l, l', l'' \in \{1, \ldots, L\}$.

The machine M starts executing with some initial nonnegative integer values in
counters $S_1$ and $S_2$ and the control at the instruction labelled 1. We assume the semantics
of all the above instructions and of the entire program is clear. Without loss of generality one
can suppose that every machine contains exactly one instruction of the form l: STOP
which is the last one (l = L). It should be clear that the execution process (run) is
deterministic and has no failure. Any such process is either finished by the execution of
the L: STOP instruction or lasts forever.

As a consequence of the universality of such computational model the halting prob- 
lem for Minsky machines is undecidable: 

Theorem 1 ([7]). It is undecidable whether a two-counter Minsky machine halts when 
both counters initially contain 0. 

We will use the following consequence of Theorem 1 . 

Corollary 1. The set of all Minsky machines which begin with both counters containing
0 and do not halt is not recursively enumerable.

Given any machine M (with initial values for the two counters) let us define its run $r^M$
as a sequence of triples, or states of $r^M$:

$(l_1, p_1^0, p_2^0), (l_2, p_1^1, p_2^1), \ldots, (l_{j+1}, p_1^j, p_2^j), \ldots$

where $l_j$ is the label of the instruction to be executed at the jth step of computation, and $p_1^j$ and
$p_2^j$ are the nonnegative integers within the first and the second counters, respectively,
after completion of the jth step of computation. Depending on whether M stops or not, $r^M$
can be finite or infinite.

Henceforth we will consider only the computations of Minsky machines started
with both counters containing 0. Thus we always put $p_1^0 = 0$, $p_2^0 = 0$ and $l_1 = 1$.

4.1 Modelling Minsky machines by systems of pebbles 

We will show our main result on non-r.e. axiomatizability of $LTL_\lambda^=$ by modelling the
computations of two counter Minsky machines in that logic. In fact we are going to
model such machines by pebble systems and then just express the required properties of
such systems in the logic. In this subsection we explain the main idea of the modelling,
leaving all details of the $LTL_\lambda^=$ representation to the next section. Actually we suggest
two methods of modelling Minsky machines using pebbles. Both of them are based on
the same idea, but use different numbers of pebbles and different basic operations, which require
different temporal operators.

Method 1. Take a pebble system with three pebbles a, b, d. We denote the set of
all elements that were visited by a pebble a (b) until the moment of time i by $V_a^i$ ($V_b^i$).
One may then use two pebbles, say a and b, to model the counter's values as follows.
We represent the counter's value at the moment i as the cardinality of the set $V_a^i \cap \overline{V_b^i}$.
By increasing one of the sets of elements visited by a, or by b, one may increase or decrease
the counter value. Our modelling will ensure that $\forall i.\ V_b^i \subseteq V_a^i$. That means the counter's
value at the moment i is in fact $card(V_a^i) - card(V_b^i)$ (see Figure 2).
[Figure 2 panels: Counter=0, Counter=1, Counter=2, Counter=1, Counter=2, Counter=1, Counter=0]

Fig. 2. First method of encoding



Due to peculiarities of the logical representation we confine the range of the elements
visited by both pebbles to the set of elements visited by another special pebble d. We
require that d moves every time to a new element, and we have $V_b^i \subseteq V_a^i \subseteq V_d^i$.

Let us show how to increase and decrease the cardinality of the set $V_a^i \cap \overline{V_b^i}$. Since
the pebble d generates a unique sequence of elements from the domain as time goes
by, we can use this unique sequence for increasing the cardinality of $V_a^i$ or $V_b^i$ by one.

Let pebble a (b) be on an element x of the domain. Since a is moving strictly along
the path of d, the pebble d has visited the element x and moved to another element y.
So in order to increase the cardinality of $V_a^i$ ($V_b^i$) by one we need to move the pebble a
(b) to the element y. In other words a (b) moves in the same way as d did from the same
position.

We can increase (decrease) the value of the counter by one, or in other words increase
(decrease) the cardinality of the set $C = V_a^i \cap \overline{V_b^i}$ by one, if we increase the cardinality
of the set $V_a^i$ ($V_b^i$) by one according to the above procedure. Since there is a strict order
of unique elements that we use for moving pebbles along the path of d, we can easily
test the emptiness of the counter, or emptiness of the set C, by checking if the pebble a
and the pebble b are on the same element (see Figure 3).
Fig. 3. Pebbles a and b move in the same way as d did from the same position.
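Method 1 can be checked mechanically. The following added example (not code from the paper) runs a two-counter machine twice, once with integer counters and once with the counters held only in pebble positions, giving each counter its own pair a_k, b_k over one shared pebble d, as the translation in Section 5 does. The sample program, the element names x0, x1, ... and all function names are assumptions of the example.

```python
# Added example: the program below is constructed sample input, not from the paper.
# ("ADD", k, l1)      ->  l: ADD 1 to S_k; GOTO l1
# ("SUB", k, l1, l2)  ->  l: IF S_k != 0 THEN SUBTRACT 1 FROM S_k; GOTO l1 ELSE GOTO l2
# ("STOP",)           ->  L: STOP
PROGRAM = {
    1: ("ADD", 1, 2), 2: ("ADD", 1, 3), 3: ("ADD", 1, 4),   # S1 := 3
    4: ("SUB", 1, 5, 6),                                     # while S1 != 0: S1 -= 1
    5: ("ADD", 2, 4),                                        #   and S2 += 1
    6: ("STOP",),
}

def run_counters(program, max_steps):
    """Reference run r^M with integer counters: triples (next label, S1, S2)."""
    label, s = 1, {1: 0, 2: 0}
    run = [(label, s[1], s[2])]
    for _ in range(max_steps):
        ins = program[label]
        if ins[0] == "STOP":
            break
        if ins[0] == "ADD":
            s[ins[1]] += 1
            label = ins[2]
        elif s[ins[1]] != 0:
            s[ins[1]] -= 1
            label = ins[2]
        else:
            label = ins[3]
        run.append((label, s[1], s[2]))
    return run

def run_pebbles(program, max_steps):
    """The same run with no integers: a counter exists only as the positions of
    pebbles a_k and b_k on the path of d, and is decoded as |V_a minus V_b|."""
    d_path = [f"x{t}" for t in range(max_steps + 2)]     # d is on a fresh element at every t
    as_d_did = {d_path[t]: d_path[t + 1] for t in range(max_steps + 1)}
    pebbles = ("a1", "b1", "a2", "b2")
    pos = {p: d_path[0] for p in pebbles}                # time 0: all pebbles sit with d
    visited = {p: {d_path[0]} for p in pebbles}
    visited["d"] = {d_path[0], d_path[1]}                # time 1: only d has moved

    def decode(label):
        return (label, len(visited["a1"] - visited["b1"]),
                len(visited["a2"] - visited["b2"]))

    label, t = 1, 1
    trace = [decode(label)]
    while t <= max_steps and program[label][0] != "STOP":
        ins = program[label]
        a, b = f"a{ins[1]}", f"b{ins[1]}"
        if ins[0] == "ADD":
            mover, label = a, ins[2]          # a_k steps forward: counter + 1
        elif pos[a] != pos[b]:                # not Same(a_k, b_k): counter is non-zero
            mover, label = b, ins[2]          # b_k steps forward: counter - 1
        else:
            mover, label = None, ins[3]       # Same(a_k, b_k): counter is zero
        t += 1
        visited["d"].add(d_path[t])
        if mover:
            pos[mover] = as_d_did[pos[mover]]  # move the way d did from this element
            visited[mover].add(pos[mover])
        for k in (1, 2):                       # invariant V_b within V_a within V_d
            assert visited[f"b{k}"] <= visited[f"a{k}"] <= visited["d"]
        trace.append(decode(label))
    return trace

if __name__ == "__main__":
    for counters, pebbled in zip(run_counters(PROGRAM, 50), run_pebbles(PROGRAM, 50)):
        print(counters, pebbled)
```

The zero test in `run_pebbles` never reads a number: it only compares the positions of a_k and b_k, which is what Same(a_k, b_k) expresses.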



Method 2. In the second method we again use pebbles a, b and d, but it will be
enough to model even two counters at the same time. We require d to move to a new
element of the domain every next time step. Also we are going to define the moving of
pebbles a and b in such a way that we have $V_a^i \subseteq V_d^i$ and $V_b^i \subseteq V_d^i$.

In contrast to the previous method we use here a different coding of counters. Let
the pebble a be on the element u of the domain and the pebble b be on the element v of
the domain, and let both of these elements have already been visited by d at moments of
time i and j correspondingly. In such a case the cardinality of $V_d^i$ stands for one counter
and $V_d^j$ stands for another one (see Figure 4).




[Figure 4 panels: Counter=0, Counter=1, Counter=2, Counter=1, Counter=0, Counter=1]

Fig. 4. Second method of encoding.



Now we define the increment operation, decrement operation and testing for zero in
terms of pebbles a, b and d. According to the above coding we can change the first (second)
counter by moving the pebble a (b) along the path of the pebble d.

Let pebble a be on a place y, which is an element of the domain, and let the pebble d
have visited element y in the time step i from some element x and then moved to another
element z in time step i + 1. So in order to increase the first counter we need to move the
pebble a to the element z, and for decreasing by one we need to move a to the element
x. Now the value of the counter will be represented by $V_d^{i+1}$ after the increment operation
and $V_d^{i-1}$ after the decrement operation. In a similar way we can model another counter
using the pebble b.

The final operation is testing for zero, which can be modelled by checking if the pebble
a (b) is on the element which was the initial position of d.



5 Modelling of Minsky machines in $LTL_\lambda^=$

In the translation of Minsky machines into formulae of $LTL_\lambda^=$ we will use the
formulae defined in Section 3. We implement Method 1 from the previous section and
note that Method 2 could be used instead.



5.1 Translation 



Given a Minsky machine M defined by the sequence of instructions $c_1, \ldots, c_L$ we define
the $LTL_\lambda^=$ temporal formula $\chi^M$ as follows.

Let $e_1, \ldots, e_L$ be flexible constants corresponding to instructions $c_1, \ldots, c_L$. Let $e_0$
and $f$ be two additional constants. The intention is to model the fact "$c_i$ is executed at
the moment t" by coincidence of designations of $e_i$ and $f$ at the moment t. We denote
by $Q_i$ the formula expressing this fact: $(\lambda x.(\lambda y.x = y)(e_i))(f)$. Since we assume $c_L$
is the STOP instruction we will denote $Q_L$ alternatively as $Q_{stop}$. Further we have five
more constants for modelling counters: $d, a_1, b_1, a_2, b_2$.

Then, for every instruction $c_i$, except l: STOP, we define its translation $\chi(c_i)$ as
follows:

A. An instruction of the form
l: ADD 1 to $S_k$; GOTO l';

is translated into the conjunction of the following formulae:

A1. $\Box(Q_l \to NextNew(a_k, d))$
A2. $\Box(Q_l \to NoChange(b_k))$
A3. $\Box(Q_l \to NoChange(a_{3-k}))$
A4. $\Box(Q_l \to NoChange(b_{3-k}))$
A5. $\Box(Q_l \to \bigcirc Q_{l'})$

Formulae A1-A4 ensure that in every temporal model $\mathfrak{M}$ for them, once $Q_l$ is
true at a moment n, at the next moment the interpretation of the flexible constant $a_k$
changes to a new value, while $b_k$, $a_{3-k}$ and $b_{3-k}$ keep their interpretation intact. The
formula A5 describes switching truth values of propositions $Q_i$ ($i \in \{1, \ldots, L\}$) and the
aim here is to model the transition from the instruction which is executed to the next
one.

B. An instruction of the form

l: IF $S_k \neq 0$ THEN SUBTRACT 1 FROM $S_k$; GOTO l' ELSE GOTO l'';

is translated into the conjunction of the following formulae:

B1. $\Box(Q_l \wedge \neg Same(a_k, b_k) \to NoChange(a_k))$
B2. $\Box(Q_l \wedge \neg Same(a_k, b_k) \to NextNew(b_k, d))$
B3. $\Box(Q_l \wedge \neg Same(a_k, b_k) \to NoChange(a_{3-k}))$
B4. $\Box(Q_l \wedge \neg Same(a_k, b_k) \to NoChange(a_{3-k}))$
B5. $\Box(Q_l \wedge Same(a_k, b_k) \to NoChange(a_k) \wedge NoChange(b_k) \wedge NoChange(a_{3-k}) \wedge NoChange(b_{3-k}))$
B6. $\Box(Q_l \wedge \neg Same(a_k, b_k) \to \bigcirc Q_{l'})$
B7. $\Box(Q_l \wedge Same(a_k, b_k) \to \bigcirc Q_{l''})$

Formulae B1-B4 ensure that, in every temporal model for them, once we have $Q_l$ and
the interpretations of $a_k$ and $b_k$ are different (meaning "the k-th counter has non-zero value"),
the interpretation of $b_k$ changes in the next moment of time, while the interpretations of
$a_k$, $a_{3-k}$ and $b_{3-k}$ stay the same. Formula B5 ensures that, when $Q_l$ holds and the interpretations
of $a_k$ and $b_k$ are the same (meaning "counter k has zero value"), then the interpretations of
$a_k, b_k, a_{3-k}, b_{3-k}$ stay the same in the next moment of time. Formulae B6 and
B7 regulate the switching of truth values of $Q_i$ ($i \in \{1, \ldots, L\}$).

Further, let the formula $\chi_0$ be the conjunction of the following formulae:

- $Q_0 \wedge Same(d, a_1) \wedge Same(a_1, b_1) \wedge Same(b_1, a_2) \wedge Same(a_2, b_2)$. At the initial
moment of time the constants $d, a_1, a_2, b_1, b_2$ have the same designation.

- $\bigcirc(Q_1 \wedge Same(a_1, a_2) \wedge Same(a_2, b_1) \wedge Same(b_1, b_2) \wedge \neg Same(a_1, d))$. At the
next moment of time $Q_1$ holds and $a_1, a_2, b_1, b_2$ have the same designations,
while d has a different designation.

- $AlwaysNew(d) \wedge \Box(\bigwedge_{1 \le i < j \le L} \neg Same(e_i, e_j))$, stating that d has different
designations at different moments of time and $e_1, \ldots, e_L$ all have different
interpretations.

Finally, let $\chi^M$ be $\bigwedge_{i=1}^{L-1} \chi(c_i)$ where M is a Minsky machine defined by the
sequence of instructions $c_1, \ldots, c_L$.

The formula $\chi_0 \wedge \chi^M$ is intended to faithfully describe the computation of the
machine M and the following lemma provides a formal justification for this.

Lemma 1. A Minsky machine M produces an infinite run if, and only if,
$\chi_0 \wedge \chi^M \models \Box\neg Q_{stop}$.
Proof.

($\Rightarrow$) Let a machine M produce an infinite run
$r^M = (l_1, p_1^0, p_2^0), (l_2, p_1^1, p_2^1), \ldots, (l_{j+1}, p_1^j, p_2^j), \ldots$, and let a temporal structure
$\mathfrak{M} = (D, I)$ be a model of $\chi_0 \wedge \chi^M$. Straightforward induction on steps in $r^M$ shows that,
for all $j \ge 1$, the following relation between states of M and $\mathfrak{M}$ holds:

$l_j = l$ whenever $j \models Q_l$;

$p_1^j = |V_{a_1}^{j+1} \cap \overline{V_{b_1}^{j+1}}| = |V_{a_1}^{j+1}| - |V_{b_1}^{j+1}|$;
$p_2^j = |V_{a_2}^{j+1} \cap \overline{V_{b_2}^{j+1}}| = |V_{a_2}^{j+1}| - |V_{b_2}^{j+1}|$.

Since the run $r^M$ is infinite we have $l_j \neq L$ for all $j \ge 1$, and therefore $j \models \neg Q_{stop}$
for all $j \ge 0$. Hence, $0 \models \Box\neg Q_{stop}$.

($\Leftarrow$) By contraposition it is sufficient to show that if a machine M produces a finite run
(halts) then $\chi_0 \wedge \chi^M \wedge \Diamond Q_{stop}$ is satisfiable.

Let a machine M halt and produce a finite run $r^M = (l_1, p_1^0, p_2^0), \ldots, (l_{s+1}, p_1^s, p_2^s)$,
$s \ge 0$. The final executed instruction is the STOP instruction, so we have $l_{s+1} = L$.
Now, we construct a temporal structure $\mathfrak{M}_n = (D, I(n))$ as follows. We let the domain
D be a countable set. Then, for all $0 \le j \le s + 1$, we ensure $j \models Q_l$ whenever $l_j = l$,
and $j \models Q_{stop}$ for all $j > s + 1$. Further we set $I(j)(d)$ (designations of d) to be
different elements of the domain for all $j \ge 0$.



Further, we set

$0 \models Same(d, a_1) \wedge Same(a_1, b_1) \wedge Same(b_1, a_2) \wedge Same(a_2, b_2)$, and

$1 \models Q_1 \wedge Same(a_1, a_2) \wedge Same(a_2, b_1) \wedge Same(b_1, b_2) \wedge \neg Same(a_1, d)$.
Further define designations of $a_1, a_2, b_1, b_2$ for $2 \le j \le s$ inductively as follows:

- If the instruction with the label $l_j$ is of the first form (ADD) then define $I(j)(a_k) =
I(m + 1)(d)$, where m is a moment of time such that $I(j - 1)(a_k) = I(m)(d)$, and
leave designations of the remaining constants the same as in $j - 1$.

- If the instruction with the label $l_j$ is of the second form (SUBTRACT) and $(j - 1) \models
\neg Same(a_k, b_k)$ then define $I(j)(b_k) = I(m + 1)(d)$, where m is a moment of
time such that $I(j - 1)(b_k) = I(m)(d)$, and leave designations of the remaining constants
the same as in $j - 1$.

- If the instruction with the label $l_j$ is of the second form (SUBTRACT) and $(j - 1) \models
Same(a_k, b_k)$ then leave designations of all constants ($a_k, b_k$, k = 1, 2) the same as
in $j - 1$.

Finally, assume designations of $a_1, b_1, a_2, b_2$ to be arbitrary for all $j > s$.

It is easily seen that this overall construction provides a model for $\chi_0 \wedge \chi^M$, and since
$l_{s+1} = L$ one also has $s \models Q_{stop}$. Thus, $\chi_0 \wedge \chi^M \wedge \Diamond Q_{stop}$ is satisfied in $\mathfrak{M}$.

Now from Theorem 1 and Lemma 1 our main result follows:

Theorem 2. The set of valid formulas of $LTL_\lambda^=$ is not recursively enumerable.

6 Conclusion 

We have considered the extension $LTL_\lambda^=$ of classical propositional temporal logic
PTL and shown that the logic is suitable for specifications of dynamic systems using
some resources, such as processes using memory locations or mobile agents occupying
some sites. Despite its simplicity $LTL_\lambda^=$ proved to be not recursively axiomatizable
and, therefore, fully automated verification of $LTL_\lambda^=$ specifications is not, in general,
possible. Identification of decidable fragments of $LTL_\lambda^=$ (if any) is an interesting
problem for further research. We believe that undecidability holds also for the future
time fragment of $LTL_\lambda^=$. We leave a detailed exposition of this case, as well as the
investigation of $LTL_\lambda$ (without equality) and $LTL_\lambda^{(=)}$ with restrictions on the number
of flexible constants, to future work.